
Hi

I got the following detections on my Nebula endpoints, flagging CyberLink Media Suite registry entries and its uninstall file, which is present on most Dell systems.

  • Category: Malware
  • Group name: ITmachines
  • Public endpoint IP: 
  • Endpoint name:
  • OS platform: Windows
  • OS release name: Microsoft Windows 10 Pro
  • Location: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\SHAREDDLLS|C:\PROGRAM FILES (X86)\CYBERLINK\SHARED FILES\RICHVIDEOUNINSTALL.EXE
  • Policy name: ITmachines
  • Report time: June 2nd 2023, 11:10:16 UTC
  • Scan time: June 2nd 2023, 11:01:00 UTC
  • Action taken: Quarantined
  • Threat name: Malware.AI.2019312709
  • Type: reg_value

 

  • Category: Malware
  • Group name: ITmachines
  • Public endpoint IP: 
  • Endpoint name: 
  • OS platform: Windows
  • OS release name: Microsoft Windows 10 Pro
  • Location: C:\PROGRAM FILES (X86)\CYBERLINK\SHARED FILES\RICHVIDEOUNINSTALL.EXE
  • Policy name: ITmachines
  • Report time: June 2nd 2023, 11:10:16 UTC
  • Scan time: June 2nd 2023, 11:01:00 UTC
  • Action taken: Quarantined
  • Threat name: Malware.AI.2019312709
  • Type: file

The diagnostics zip file is too large to upload; if you need it, let me know which file in the zip to send. I did attach the file, though.

 

richvideouninstall.zip


Did an update and restored, then re-ran. It still detected, but also removed an additional file, as well as the zip file.

The machine runs scans every 4 hours, every day, and prior scans were fine, with no detection on the same files.

  • Category: Malware
  • Group name: ITmachines
  • Public endpoint IP: 
  • Endpoint name:
  • OS platform: Windows
  • OS release name: Microsoft Windows 10 Pro
  • Location: C:\USERS\NFHRA\APPDATA\ROAMING\Microsoft\Windows\Recent\richvideouninstall.lnk
  • Policy name: ITmachines
  • Report time: June 2nd 2023, 12:14:57 UTC
  • Scan time: June 2nd 2023, 12:06:10 UTC
  • Action taken: Quarantined
  • Threat name: Malware.AI.2019312709
  • Type: file

Ran a scan against the file with Emsisoft and it came back as clean.


Still detecting on several endpoints. I'm just removing now, since I can't seem to get them to see the update, unless only the standalone got the update and not the Nebula endpoints. So far, still getting detections on this file. I know it's a false ID; Emsisoft and others are seeing it as clean, and it's always the preinstalled Dell version that is getting detected. Yesterday and all through the night, scans went fine, still the update this morning.

 

Any suggestions on getting these endpoints to actually see the correction?


  • Staff

I disabled the rule totally, so there shouldn't be any more hits. A couple more files with different MD5s, if possible, would be good, so we can strengthen our FP prevention on this.
Give it a few minutes and push out another update to your endpoints. Let me know.

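For the staff request above (more samples with different MD5s), the following is a way to gather hashes, file metadata, Authenticode signer details and the flagged SharedDLLs registry value from each endpoint before sending samples to the vendor. This is an added example, not code from the thread or from Malwarebytes; the file and registry paths are taken from the detections above, and the CSV output path is hypothetical. Run it on an endpoint where the file has been restored from quarantine (a quarantined file is no longer at its original path).

```powershell
# Added example (not from the thread or Malwarebytes): collect the evidence a vendor
# typically asks for when triaging a false positive, and check whether the flagged
# binary carries a valid Authenticode signature.
$Targets = @(
    # Path taken from the detection in the thread
    'C:\Program Files (x86)\CyberLink\Shared Files\RichVideoUninstall.exe'
)

function Get-FpEvidence {
    param([string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            # Still quarantined or never installed on this image
            [pscustomobject]@{ Path = $p; Present = $false }
            continue
        }
        $item   = Get-Item -LiteralPath $p
        $md5    = (Get-FileHash -LiteralPath $p -Algorithm MD5).Hash
        $sha256 = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $sig    = Get-AuthenticodeSignature -LiteralPath $p
        [pscustomobject]@{
            Path       = $p
            Present    = $true
            Size       = $item.Length
            LastWrite  = $item.LastWriteTimeUtc
            MD5        = $md5
            SHA256     = $sha256
            SigStatus  = $sig.Status            # Valid, NotSigned, HashMismatch, ...
            Signer     = $sig.SignerCertificate.Subject
            Thumbprint = $sig.SignerCertificate.Thumbprint
        }
    }
}

# The first detection was a reg_value under SharedDLLs: the value *name* is the file
# path and the data is a reference count, so we match on value name, case-insensitively.
function Get-SharedDllEntry {
    param([string]$FilePath)
    $key   = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\SharedDLLs'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    $name = $props.PSObject.Properties.Name | Where-Object { $_ -ieq $FilePath }
    if ($name) {
        [pscustomobject]@{ ValueName = $name; RefCount = $props.$name }
    }
}

$evidence = Get-FpEvidence -Path $Targets
$evidence | Format-List
$Targets | ForEach-Object { Get-SharedDllEntry -FilePath $_ } | Format-List

# Hypothetical output location; attach this alongside the sample when reporting.
$evidence | Export-Csv -LiteralPath "$env:TEMP\richvideouninstall-hashes.csv" -NoTypeInformation
```

Running this across several Dell images is what yields the set of distinct MD5s the vendor asked for, since different OEM builds of the same installer ship different binaries. A `SigStatus` of `Valid` with a CyberLink signer supports the false-positive case; `HashMismatch` would mean the file on disk no longer matches what was signed and should be treated as suspect rather than reported as an FP. Note that `Get-AuthenticodeSignature` only checks the embedded signature; it does not query any catalog, so an unsigned result for a genuine OEM file is possible.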
